Is it possible to exploit `-i lo -j ACCEPT` in iptables?

Most iptables setups contain an `INPUT -i lo -j ACCEPT` rule. Without it, it's quite difficult to connect to any locally hosted stuff. However, what is not entirely clear to me: is a locally running process absolutely the only way to get caught by this line? I mean, can it be exploited by something like delivery of a crafted packet with src IP 127.0.0.1, dst 127.0.0.1 when IP forwarding is enabled on some interfaces?

Answer 1

I think if you used the two extra lines shown below, then the events you described would be blocked:

```
# iptables-save syntax: the -4/-6 markers let one file be fed to both
# iptables-restore and ip6tables-restore (each ignores the other's lines).
# Reject loopback-destined packets that did not arrive on the loopback interface ...
-A INPUT -4 ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -6 ! -i lo -d ::1/128 -j REJECT
# ... and only then accept everything that really came in on lo.
-A INPUT      -i lo -j ACCEPT
```
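Rule order is what makes the answer above work: the REJECT lines must come before the `-i lo -j ACCEPT` line, or the accept never sees spoofed traffic anyway but the guard is dead weight after it. The following audit helper is an added example, not code from the original answer; it reads `iptables-save` (or `ip6tables-save`) output on stdin and reports whether an INPUT chain contains a non-loopback-interface guard for the given destination prefix ahead of the loopback accept rule. The function name `check_lo_antispoof` and the two sample rulesets are constructed for this example.

```shell
#!/bin/sh
# check_lo_antispoof [DST_PREFIX]  (hypothetical helper, added example)
#   Reads iptables-save style rules on stdin. Exit 0 when an INPUT rule of the
#   form "! -i lo -d DST_PREFIX -j REJECT|DROP" appears *before* the
#   "-i lo -j ACCEPT" rule; exit 1 when the guard is missing or misordered.
#   DST_PREFIX defaults to 127.0.0.0/8; pass ::1/128 for ip6tables-save output.
check_lo_antispoof() {
    dst=${1:-127.0.0.0/8}
    awk -v dst="$dst" '
        /^-A INPUT / {
            # First INPUT rule that rejects loopback-destined traffic from other interfaces.
            if (!guard && $0 ~ /! -i lo / && index($0, "-d " dst " ") && $0 ~ /-j (REJECT|DROP)/)
                guard = NR
            # First INPUT rule that accepts traffic arriving on lo (ignore the negated form).
            if (!accept && $0 ~ / -i lo / && $0 !~ /! -i lo/ && $0 ~ /-j ACCEPT/)
                accept = NR
        }
        # Success only if both rules exist and the guard precedes the accept.
        END { exit !(guard && accept && guard < accept) }
    '
}

# Constructed sample: the hardened ruleset from the answer, in iptables-save form.
SAMPLE_HARDENED='*filter
-A INPUT -4 ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -6 ! -i lo -d ::1/128 -j REJECT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed sample: the common bare rule with no loopback guard at all.
SAMPLE_BARE='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_HARDENED" | check_lo_antispoof && echo "hardened: loopback guard precedes accept"
printf '%s\n' "$SAMPLE_BARE" | check_lo_antispoof || echo "bare: loopback guard missing or misordered"
```

On a live host, run `iptables-save | check_lo_antispoof` and `ip6tables-save | check_lo_antispoof ::1/128`. Independently of these rules, a Linux kernel with the default `net.ipv4.conf.*.route_localnet=0` already treats packets to or from 127.0.0.0/8 that arrive on a non-loopback interface as martians and drops them, so the explicit REJECT lines are defence in depth and a safeguard against that sysctl being flipped on for some other reason.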
